A system and method that grants a token to authenticate a user requesting access to an application in a domain is disclosed. The method includes receiving a response from an identity (ID) provider in a second domain responsive to a first request from a user to access an application provided by an application server in a first domain, the response indicating the authenticity of the user in the second domain, randomly selecting a first key and a second key from a key store, generating a secret by randomly permuting the first key and the second key, generating a signature by signing user information associated with the user using the secret, generating an authentication token including the signature, determining whether the authentication token is valid, and responsive to determining that the authentication token is valid, granting access to the first application to the user based on the authentication token.
展开▼